
Resolve Target Host Question


lostsoul
June 25th, 2004, 07:11 PM
I've recently noticed that when I resolve the host for the default 127.0.0.1 on my computer, I get a result of coolwwwsearch.com. Is this indicative of being plagued by the CWS Google nuisance, or is there a plausible explanation for this such as some protective software changing settings? (Pest Patrol, Spybot S&D, Adaware, TD3, Wormguard, NAV 2004)

I was infected with the CWS Google a little while ago and I THOUGHT I was clean after a reformat and testing did not result in any positive findings. TD3 even comes up clean for trojans or anything suspicious. Is it possible that I have an unknown CWS variant and is showing up when I resolve the local host? I've run both the Smart CWS and CWS Shredder and come up clean.

Is this something to be concerned about or am I suffering from paranoia from the hassle of dealing with removing CWS in the past? :-\

Any information would be appreciated.

Thanks.
LS

Dazed_and_Confused
June 25th, 2004, 07:48 PM
Welcome, LS. Sorry to see you suffering so. Something is definitely wrong there. As you probably know, the resolved name should be Local Host. See this (http://www.majorgeeks.com/download4113.html) site to try to rid yourself of coolwwwsearch. Let us know if you're successful.


Edit: See this (http://forums.techguy.org/t142771.html) site for more info on your problem...

lostsoul
June 25th, 2004, 08:16 PM
Been there, done that. Everything comes back clean. :(

In the HijackThis forum they said they could find nothing wrong in my log. Neither my search page nor my homepage is hijacked. Both the Smart Killer and CWS Shredder come up clean, which is why I ended up reformatting since no one could find anything.

The place where the pest seems to show itself is in Yahoo Game rooms. Text ads are sent in to visit a free 'P' site as well as for chess games. My browser seems to slow down tremendously as well when it happens.

Port Explorer does not give an unusual reading when I resolve the local host. Only TDS3. Yet nothing suspicious comes up in scans. I know CWS is not a trojan but TD3 is the only thing showing a reference to it. Which is why I thought I'd ask here if anyone had any ideas.

All this makes me think that this may be a new or unknown variation.

I am at wits end. Any other suggestions aside from taking a sledgehammer to my computer? ;)

LS

Dazed_and_Confused
June 25th, 2004, 08:19 PM
Wild Guess here - did you try turning System Restore off? And then turn it back on.

lostsoul
June 25th, 2004, 08:26 PM
I have Win 98SE so no system restore. I do have Go Back however that was disabled during the reformat and everything was supposedly wiped clean from the two hard drives. In fact, I did two reformats just cuz I wanted to be sure to get rid of everything, and was a bit peeved with this nuisance and felt like venting. :P Apparently it was ineffective.

LS

Dazed_and_Confused
June 25th, 2004, 08:34 PM
Wow. I'm at a point here way beyond my expertise. I'm hoping someone from DCS might be listening. I'm sure they could help.

I've always thought a format of the hard drive would cure most ills. I'm not familiar with this pest, but is it possible that it could have infected something else in your home network (router, server, etc...)? ???

lostsoul
June 25th, 2004, 08:42 PM
Thanks for your help. I would almost believe it was a root kit IF I were susceptible to one. As far as I know Win 98 is not. I too thought reformatting would solve things. Shows me how little I know.

I'm learning how to use Port Explorer so maybe that will help me to track down the problem and maybe they can help me out in their forum.

Again thanks for trying. It was very much appreciated.

LS

Dazed_and_Confused
June 25th, 2004, 08:52 PM
Root kit? Sounds like you know more about this stuff than I do. I have read where some malware can infect the BIOS. I don't believe that is changed with a format.

Edit: Also see this (http://www.tek-tips.com/viewthread.cfm?spid=760&newpid=760&sqid=858784) thread about using CWShredder. But I would think if a reformat didn't do the trick, CWShredder wouldn't either.

TheQuest
June 25th, 2004, 08:57 PM
Hi, lostsoul

Methinks if you have the latest PE database and it shows nothing [red], then TDS is giving you a wrong reading.

There was a post about the TDS domain database [old] and an update for it.

Which makes sense as that is PE's job.

Take Care,
TheQuest 8)

Edit: Read this link: #5 & #10 portref.txt updates (http://www.wilderssecurity.com/showthread.php?t=20888&highlight=domain+database)

lostsoul
June 25th, 2004, 09:02 PM
I only know about root kits cuz of this nuisance. I am no techie geek believe me. Trying to find a solution tends to take me in many different directions and picking up things here and there along the LONG and well-traveled roads.

I had not thought about a BIOS infection. Although come to think of it I did have a problem with Windows identifying the hard drives after the first reformat.

Any idea on where I can look up information about a BIOS malware infection, or just do a search on Google and hope I am actually using Google?

LS

lostsoul
June 25th, 2004, 09:07 PM
-{ Quote: "Hi, lostsoul

Methinks if you have the latest PE database and it shows nothing [red], then TDS is giving you a wrong reading.

There was a post about the TDS domain database [old] and an update for it.

Which makes sense as that is PG's job.

Take Care,
TheQuest 8)

Edit: Read this link: #5 & #10 portref.txt updates (http://www.wilderssecurity.com/showthread.php?t=20888&highlight=domain+database)" }-
Thanks. I have not updated PE since I just installed it last night. I was concentrating on protection and cleaning updates primarily. I'll do that right now and see what happens.

Although TD3 did give me the expected resolve result right after the reformat and only started giving the coolweb late afternoon yesterday.

LS

Dazed_and_Confused
June 25th, 2004, 09:09 PM
-{ Quote: "Any idea on where I can look up information about a BIOS malware infection, or just do a search on Google and hope I am actually using Google?" }-
I would just do a web search. And I may be wrong in my prognosis. I hate to continue with suggestions from here on. It would just be the blind leading the blind, if you know what I mean. I may do more damage than good.

TheQuest
June 25th, 2004, 09:25 PM
Hi, lostsoul

Your BIOS should be protected by default from being written to.

Unless you have turned it off; if not, and if you do not know how to turn it off,

then your BIOS is safe, as nothing can turn its protection off,

because it is done with DEL at boot.

Take Care,
TheQuest 8)

PS: To date I have updated my BIOS 11 times. [I am always playing with my BIOS to overclock]

lostsoul
June 25th, 2004, 09:45 PM
-{ Quote: "Hi, lostsoul

Methinks if you have the latest PE database and it shows nothing [red], then TDS is giving you a wrong reading.

There was a post about the TDS domain database [old] and an update for it.

Which makes sense as that is PE's job.

Take Care,
TheQuest 8)

Edit: Read this link: #5 & #10 portref.txt updates (http://www.wilderssecurity.com/showthread.php?t=20888&highlight=domain+database)" }-
Ok here is probably a dumb question. If I've updated TDS3 earlier today (the databases) using the update feature is this the same thing you are talking about in this post?

Also, if I've just downloaded PE would it be up to date in the database? If not, how would I go about updating it. I have not read through the entire help files yet, so if you can point me in the right direction I'd really appreciate it.

Thanks,

LS

As for red entries in PE, I do get them with Time Waiting as their status, but they disappear relatively quickly after they appear once I switch PE on to view. I've just started logging everything so I can go back to view things once I get more familiar with the program.

lostsoul
June 25th, 2004, 09:47 PM
-{ Quote: "Hi, lostsoul

Your BIOS should be protected by default from being written to.

Unless you have turned it off; if not, and if you do not know how to turn it off,

then your BIOS is safe, as nothing can turn its protection off,

because it is done with DEL at boot.

Take Care,
TheQuest 8)

PS: To date I have updated my BIOS 11 times. [I am always playing with my BIOS to overclock]" }-
I've not changed the default settings for the BIOS so I reckon I'm safe.

Thanks TheQuest!

LS

Dazed_and_Confused
June 25th, 2004, 09:48 PM
-{ Quote: "Also, if I've just downloaded PE would it be up to date in the database? If not, how would I go about updating it." }-Click HELP>CHECK FOR>NEW PORT AND DOMAIN DATABASES

-{ Quote: "Ok here is probably a dumb question. If I've updated TDS3 earlier today (the databases) using the update feature is this the same thing you are talking about in this post?
" }-No. You have to go to this (http://tds.diamondcs.com.au/portref.txt) site and download the text file containing the port references.

EDIT: Read Quest's POST #9 above for more details on updating TDS's port reference database

lostsoul
June 25th, 2004, 09:54 PM
TheQuest settled things for me. I'm safe in this ONE area. Thanks for the suggestion though, it allowed me to scratch one thing off the list of things to check.

LS

lostsoul
June 25th, 2004, 10:01 PM
-{ Quote: "Click HELP>CHECK FOR>NEW PORT AND DOMAIN DATABASES

No. You have to go to this (http://tds.diamondcs.com.au/portref.txt) site and download the text file containing the port references.

EDIT: Read Quest's POST #9 above for more details on updating TDS's port reference database" }-

OK, PE was up to date so I'm fine there and I'm off to finish resaving the txt file I downloaded earlier to update TDS3. Thanks.

I've noticed a lot of strange behavior in PE. (A lot of red that disappears once I notice it in the program, AND my logging was turned off even though I had set it to log earlier today.) I reckon I need to focus on that program to get a handle on the coolweb problem. At least now I have a place to keep digging in instead of going around in circles.

LS

Dazed_and_Confused
June 25th, 2004, 10:07 PM
-{ Quote: "I've noticed a lot of strange behavior in PE. (A lot of red that disappears once I notice it in the program, AND my logging was turned off even though I had set it to log earlier today.)" }-
You can set PE to highlight those dead sockets for longer (up to 10 seconds). Change that setting. Make sure you're logging to your text file, and set it to unlimited size for now.

FanJ
June 25th, 2004, 10:10 PM
Hi,

First of all:
I have to leave the HijackThis-logs to the HJT-experts !

I was wondering:

1.
How is your HOSTS file looking (the one without any extension).

2.
Can you show us exactly what your TDS-3 says when you do a Resolve Target Host.

3.
Are you using a firewall?


=======
About 1:
Your HOSTS file should begin with this line (at least as the first line without beginning the character #):

127.0.0.1 localhost


About 2:
2-A.
When I (also on Win 98 SE) do a Resolve Target Host, I get:
[DNS] Resolve IP: 127.0.0.1
[DNS] Full name: localhost
[DNS] IP address 1: 127.0.0.1
[DNS] Resolve time: 5.957031E-02 seconds.

2-B.
Now I changed my first line in HOSTS (the first line not beginning with a character #) into:
127.0.0.1 coolwwwsearch.com

And then TDS-3, Resolve Target Host, tells me:
[DNS] Resolve IP: 127.0.0.1
[DNS] Full name: coolwwwsearch.com
[DNS] IP address 1: 127.0.0.1
[DNS] Resolve time: 4.980469E-02 seconds.

Dazed_and_Confused
June 25th, 2004, 10:13 PM
-{ Quote: "

About 1:
Your HOSTS file should begin with this line (at least as the first line without beginning the character #):

127.0.0.1 localhost
" }-
Great idea, FanJ! :D I'm sure that's it. Do you have any idea why a reformat didn't take care of this? I have to assume he was reinfected after the reformat.

lostsoul
June 25th, 2004, 10:17 PM
-{ Quote: "You can set PE to highlight those dead sockets for longer (up to 10 seconds). Change that setting. Make sure you're logging to your text file, and set it to unlimited size for now." }-
That's what I have it set to and they disappear quickly anyway. Also, when I go to view the log file I get a 'there was a failure launching Word Pad' error.

Methinks I need to switch forums.

Problems, problems, an endless supply.

LS

LS

Dazed_and_Confused
June 25th, 2004, 10:25 PM
-{ Quote: "That's what I have it set to and they disappear quickly anyway. Also, when I go to view the log file I get a 'there was a failure launching Word Pad' error.

Methinks I need to switch forums.

Problems, problems, an endless supply.

LS

LS" }-
Navigate to your PE directory and open it manually (pelog.txt).

FanJ
June 25th, 2004, 10:39 PM
Hi Lostsoul,

May I kindly ask you to run HijackThis and post your HJT-log, so the experts could have a look at it?

May I also please ask you to answer my questions, a few postings earlier? ;)

Regards, Jan.

nick s
June 25th, 2004, 10:48 PM
-{ Quote: "Methinks I need to switch forums." }-
I would follow FanJ's advice. I changed my hosts file to show:

[DNS] Resolve IP: 127.0.0.1
21:40:50 [DNS] Full name: coolwwwsearch.com
21:40:50 [DNS] IP address 1: 127.0.0.1

At minimum, your hosts file is being changed.

Nick

lostsoul
June 25th, 2004, 10:49 PM
-{ Quote: "Hi,

First of all:
I have to leave the HijackThis-logs to the HJT-experts !

I was wondering:

1.
How is your HOSTS file looking (the one without any extension).

-{ Quote: ""Ah, I think I see," said the blind woman.

Spybot S&D has inserted their entries with my permission. The very first listing is:
127.0.0.1 coolwwwsearch.com" }-

2.
Can you show us exactly what your TDS-3 says when you do a Resolve Target Host.

-{ Quote: "[DNS] Resolve IP 127.0.0.1
[DNS] Full Name: coolwwwsearch.com
[DNS] IP Address 1: 127.0.0.1
[DNS] Resolve time: 0.046785 seconds" }-

3.
Are you using a firewall?

-{ Quote: "Yep. Zone Alarm Pro" }-

=======
About 1:
Your HOSTS file should begin with this line (at least as the first line without beginning the character #):

127.0.0.1 localhost

I see a Hosts file modification in my future.

About 2:
2-A.
When I (also on Win 98 SE) do a Resolve Target Host, I get:
[DNS] Resolve IP: 127.0.0.1
[DNS] Full name: localhost
[DNS] IP address 1: 127.0.0.1
[DNS] Resolve time: 5.957031E-02 seconds.

2-B.
Now I changed my first line in HOSTS (the first line not beginning with a character #) into:
127.0.0.1 coolwwwsearch.com

And then TDS-3, Resolve Target Host, tells me:
[DNS] Resolve IP: 127.0.0.1
[DNS] Full name: coolwwwsearch.com
[DNS] IP address 1: 127.0.0.1
[DNS] Resolve time: 4.980469E-02 seconds." }-


It seems obvious in hindsight as the odd behaviour began after I reinstalled Spybot. ::smacking hand repeatedly against forehead:: ::)

I reckon the test will be when I go back to the Yahoo Game rooms to see if anything happens and if I get odd port readings.

I do not feel lucky enough to try my hand at it right now.

THANK YOU for figuring it out FanJ!!

LS

lostsoul
June 25th, 2004, 10:56 PM
-{ Quote: "Hi Lostsoul,

May I kindly ask you to run HijackThis and post your HJT-log, so the experts could have a look at it?

May I also please ask you to answer my questions, a few postings earlier? ;)

Regards, Jan." }-

I'm falling behind on the posts as I'm just getting the hang of posting here. I just sent a reply to your post about the Hosts file and it makes perfect sense.

I'm forever in your debt! ;D

LS

FanJ
June 25th, 2004, 11:45 PM
Hi Lostsoul :)

No problem, I'm glad you seem to have fixed it :)

I have to admit that I myself only use Spybot S&D for on-demand scanning, so I have to leave the answer why it did that on your system to other more experienced users of Spybot S&D :-[

If you like, since you're using TDS-3, you could add your HOSTS file to your CRCfiles.txt.
See for more:
TDS-3 CRC32-test Guidelines (http://www.wilderssecurity.com/showthread.php?t=13740)
Please keep in mind that the CRC32 check of TDS-3 will only show if a file has been changed, but not why nor what changes have been made.

If you like, you could always post your HijackThis-log following these guidelines:
HOW TO? Read here about how to post your log!! (http://www.wilderssecurity.com/showthread.php?t=15913)

Jooske
June 26th, 2004, 02:00 AM
Hi there,
followed this thread, lots to learn and to look at.

The HOSTS file: somewhere FanJ posted to lock it; if I remember well it is right-click to see the properties and change the attributes to "read only".
If I missed something FanJ will correct this.

You can view your HOSTS file as well (and edit if you did not just lock it) via TDS too: TDS > System Analysis > View File > Network Hosts
That should open your HOSTS file to look at.

You said you can't use the WordPad and most probably Notepad either in such cases.
Look for files 0 bytes small in your TDS directory and maybe in more locations, which you can delete, certainly if they are named wordpad.exe or notepad.exe and are 0 bytes small. Windows makes them, TDS catches them in its directory, and thus when trying to use one of them from TDS, Windows looks at the 0-byte version and thus fails. My own solution: copy the original wordpad.exe and notepad.exe from the Windows directory into the TDS directory (they're only around 56 KB small so that is not too bad) and you should be able to use your WordPad and Notepad well again, no matter how many times Windows creates the 0-byte version again.

If you did not post your HijackThis log in the forum yet, please do so for the experts to check; did not see an earlier one of yours in the forums here yet?
You could also, as an extra, post the AutoStartViewer log (from the DiamondCS products page) which shows even more than the HJT, but needs an expert view from Gavin.

For the questions relating Port Explorer if you did not do so yet please open a new thread for that in that forum so we can help you with that information.


BTW: the portref.dat for Port Explorer (update via Port Explorer > Help > Check For > New Port and Domain Databases ) and portref.txt TDS (update downloading via the TDS website) have a different extension and way of updating, but the ports are the same.

Dazed_and_Confused
June 26th, 2004, 07:24 AM
Jooske - No one ever answered one of my questions above. How is it possible the host file infection was not eliminated after a reformat? His assertion that he just completed a reformat of the PC sent me completely off in a different direction. Thanks. :-)

Jooske
June 26th, 2004, 09:33 AM
Had the impression that came with using the Spybot S&D, which seems to have changed the HOSTS file in this case after the reformat; it's the only possibility I see, unless a backup (with the same infections included) was put back on the cleansed discs.

If it is corrected now and comes back, it's either again a SBS&D activity or a nasty on the system somewhere still.......

Dazed_and_Confused
June 26th, 2004, 09:37 AM
-{ Quote: "Had the impression that came with using the Spybot S&D, which seems to have changed the HOSTS file in this case after the reformat" }-
Thanks, Jooske. I'm a little baffled as to why S&D would edit the Hosts file in that way. I use S&D, and have not seen that problem.

Jooske
June 26th, 2004, 09:54 AM
Me neither, and I'm between updating it myself to see what happens or waiting till more is posted about it in the forum.

FanJ
June 26th, 2004, 01:05 PM
Hi D&C,

Sorry, I completely forgot your question.

Same as you and Jooske: I have to admit that I too am not sure what was causing this thing in the HOSTS file on the system of Lostsoul :-[
I agree with Jooske: it would be a good idea if Lostsoul would post a HijackThis-log (and/or AutoStartViewer-log).

Sorry again D&C !
Cheers, Jan.

dvk01
June 26th, 2004, 04:14 PM
This is a copy of a post made by Lowwatermark, one of the administrators, which suggests it is a fault with the way Spybot adds to the hosts file and not a genuine sign of an infection.

-{ Quote: "
Actually, this is a problem with the way Spybot adds entries to a Hosts file. When a person goes into Spybot > Tools > Hosts File > "Add Spybot S&D hosts list"... If the system has an existing Hosts file, it opens it and appends the list of hosts it has to the bottom. That works just fine.

However, it appears that if a system does not have a Hosts file, it creates one - not unreasonable except it makes a mistake here. It does not start the file it creates with the standard line:

127.0.0.1 localhost

It just puts the list it normally adds into the empty file it just created.

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
127.0.0.1 www.wazzupnet.com
127.0.0.1 gueb.com
127.0.0.1 kabex.com
127.0.0.1 www.hityou.com
127.0.0.1 miosearch.com
127.0.0.1 wazzupnet.com
127.0.0.1 213.131.225.2
127.0.0.1 www.blue-elefant.com
127.0.0.1 babeweb.de
127.0.0.1 start-seite.com
127.0.0.1 sexolymp.com
127.0.0.1 toriii.cc
127.0.0.1 www.xtipp.de
127.0.0.1 urawa.cool.ne.jp
127.0.0.1 777search.com
127.0.0.1 ace-webmaster.com
127.0.0.1 aifind.info
127.0.0.1 amateurliveshow.com
127.0.0.1 anarchylolita.com
127.0.0.1 anarchyporn.com
127.0.0.1 approvedlinks.com
127.0.0.1 cantfind.com
127.0.0.1 castingsamateur.com
127.0.0.1 cyberrape.com
127.0.0.1 dialerclub.com
127.0.0.1 exit.megago.com
127.0.0.1 fastmetasearch.com
127.0.0.1 findwhatevernow.com
127.0.0.1 globesearch.com
127.0.0.1 hotfreebies.com
127.0.0.1 krankin.com
127.0.0.1 live.sex-explorer.com
127.0.0.1 loveadot.com
127.0.0.1 megaseek.net
127.0.0.1 mixsearch.com
127.0.0.1 munky.com
127.0.0.1 newtopsites.com
127.0.0.1 noblindlinks.com
.
.
.
As you can see, the first line is "127.0.0.1 coolwwwsearch.com" which means that any tool that resolves the local computer's name by translating 127.0.0.1 to its host name will make the system look like it is named "coolwwwsearch.com". If the localhost line was properly added to the top of the new Hosts file created by Spybot, then it would be fine. The translation would then be "localhost" not "coolwwwsearch.com".
" }-
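The mechanism described in this post (and in FanJ's 2-A/2-B experiment above) can be modelled in a few lines: the first non-comment HOSTS entry that maps 127.0.0.1 is the name a reverse lookup of the loopback address reports, so a file that lacks the standard first line makes the machine look like it is named "coolwwwsearch.com". The following is an added example, not code from the thread or from Spybot S&D, TDS-3 or Port Explorer; the two sample HOSTS files are constructed to mirror what the post shows, and the `*_HOSTS`, `parse_hosts`, `reverse_lookup`, `localhost_problem` and `ensure_localhost_first` names are this example's own.

```python
"""Model of the HOSTS-file reverse-lookup behaviour discussed in this thread.

Constructed samples: SPYBOT_ONLY_HOSTS is a file as the post says Spybot S&D
creates it when none exists (blocklist only); CORRECT_HOSTS has the standard
"127.0.0.1 localhost" line in front of the same entries.
"""

SPYBOT_ONLY_HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
"""

CORRECT_HOSTS = "127.0.0.1 localhost\n" + SPYBOT_ONLY_HOSTS


def parse_hosts(text):
    """Return the active entries as (ip, [names]) in file order.

    Blank lines, whole-line comments and trailing '# ...' comments are
    dropped, as a resolver reading the file would drop them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no name, ignore it
        entries.append((fields[0], fields[1:]))
    return entries


def reverse_lookup(text, ip):
    """Name reported for `ip`: the first active entry mapping it wins.

    This is the behaviour the thread observes in TDS-3 and that FanJ
    reproduced by editing the first line of HOSTS. Returns None when no
    entry maps the address.
    """
    for addr, names in parse_hosts(text):
        if addr == ip:
            return names[0]
    return None


def localhost_problem(text):
    """True when 127.0.0.1 reverse-resolves to something other than localhost."""
    name = reverse_lookup(text, "127.0.0.1")
    return name is not None and name.lower() != "localhost"


def ensure_localhost_first(text):
    """Prepend the standard line if it is missing; leave everything else as is."""
    if reverse_lookup(text, "127.0.0.1") == "localhost":
        return text
    return "127.0.0.1 localhost\n" + text


if __name__ == "__main__":
    for label, hosts in (("spybot-only", SPYBOT_ONLY_HOSTS), ("correct", CORRECT_HOSTS)):
        print(f"{label:12s} 127.0.0.1 -> {reverse_lookup(hosts, '127.0.0.1')}"
              f"  problem={localhost_problem(hosts)}")
    print("fixed file matches correct file:",
          ensure_localhost_first(SPYBOT_ONLY_HOSTS) == CORRECT_HOSTS)
```

Running `localhost_problem` over a machine's real HOSTS file is the check the thread arrives at by hand: it separates a mis-built blocklist file from an actual hijack, which would show up as a changed target for some other name rather than for 127.0.0.1.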

Dazed_and_Confused
June 26th, 2004, 05:31 PM
-{ Quote: "This is a copy of a post made by Lowwatermark, one of the administrators, which suggests it is a fault with the way Spybot adds to the hosts file and not a genuine sign of an infection." }-
Very interesting! Thanks dvk01 for the info. :D

Jooske
June 27th, 2004, 02:12 AM
This explains why there was nothing added of the kind in my HOSTS file.
FanJ, I was very brave and upgraded my SBS&D, forced to as the older one did not update anymore.
Looks much better, more options.